Re: [DNSOP] How Slack didn't turn on DNSSEC

Viktor Dukhovni <ietf-dane@dukhovni.org> Wed, 01 December 2021 21:06 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/B7hx4iIoLwdUuYfrSdyRariJ4BE>

> On 1 Dec 2021, at 2:37 pm, Jim Reid <jim@rfc1035.com> wrote:
> 
>> Wouldn't that create a vicious circle in which the only way to start operating DNSSEC is already to have operated DNSSEC?
> 
> I think we’ve been in that vicious circle (or downward spiral) for several years now.

The graph at: https://stats.dnssec-tools.org/images/totalds.svg
does not look like a downward spiral to me.

But I also don't agree with Paul that one needs to be an expert to play
the game.  Tools are improving, and spinning up working DNSSEC with Knot,
BIND 9.16+, ... is increasingly easier.

Where things get more complex is in API integration with cloud providers,
bugs in the provider implementation that's recent and not fully baked, ...

These too will likely improve, but there will occasionally be issues when
some new managed service is introduced and users struggle to consume it,
and have complex unanticipated requirements.

-- 
	Viktor.